On Jan. 21, the Foundation for the Malcolm Baldrige National Quality Award, Inc. announced the 2020 recipients of the Baldrige Foundation Awards, which “recognize outstanding individuals, leaders, and supporters who embody Baldrige leadership values and principles, and who have provided great service to the Baldrige community.” A core vision of the foundation is to promote performance excellence in all sectors of the economy.
The announcement on that day encompassed four types of awards, including the Foundation Awards for Leadership Excellence, awarded to 11 leaders working in a variety of professional fields. One of the 11 was Mac McMillan, CEO emeritus of the Austin, Texas-based CynergisTek consulting firm, of which he had been CEO until late last year.
“Baldrige makes healthcare safer and more accessible, education more effective, businesses more efficient and customer-focused, cyber systems more secure, governments more streamlined, and nonprofits more responsive. These great leaders are helping to ensure the sustainability of Baldrige into the future,” said Al Faber, president and CEO of the Foundation for the Malcolm Baldrige National Quality Award.
What’s more, that was not the first award recently recognizing McMillan. On Nov. 5, the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) bestowed on him the 2019 CHIME Foundation Industry Leader Award. As a press release published by CynergisTek on that date noted, “The award recognizes a CHIME Foundation Firm representative who has demonstrated exceptional dedication and made outstanding contributions to the healthcare IT industry, CHIME, and CHIME Foundation. It is the highest honor given to a Foundation Firm member.” The CHIME Foundation is the collaborative group representing CHIME sponsoring organizations.
“Cybersecurity in the healthcare sector would not be where it is today without Mac,” said CHIME President and CEO Russell Branzell, in honoring McMillan in November. “When Mac founded CynergisTek, many providers were not even thinking about cyber threats and the damage they could do to patients and their organizations. Mac made it his mission to educate our community. He has been a true friend to CHIME and AEHIS. It is an honor to recognize him for all he has done over the decades.”
The press release quoted McMillan as stating that “This is an incredible honor and I am humbled to be recognized by CHIME and its members for this award. It has been a privilege to work alongside and learn from so many health IT leaders in this organization during my career.”
Shortly before the public announcement of the Baldrige Foundation Award, McMillan took the opportunity to speak with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the state of cybersecurity in the U.S. healthcare system in this moment, and the challenges facing the entire industry. Below are excerpts from that interview.
First of all, congratulations on these awards. It’s excellent that you are being recognized for your leadership in the industry.
Thank you very much, I appreciate it.
Given your years of leadership in the industry, it is good to be able to sit down with you and discuss the current landscape. What would you like to share with us regarding how you see that landscape right now?
Well, regarding the Leadership Award from the Baldrige Foundation, it is worth noting that the Baldrige Foundation is based at and managed by NIST, the National Institute of Standards and Technology, which is an agency of the U.S. Department of Commerce. And NIST formulates data security standards.
In that regard, I truly believe that the industry needs to recognize how important cybersecurity is to [healthcare], make the move to adopt the NIST framework as its standard, and move away from the HIPAA security rule, which we all know is inadequate.
The president’s taskforce on cybersecurity recommended this. And then the follow-up on that was the 405(d) Task Group, which is part of the NIST Cybersecurity Taskforce, a public/private group that was [tasked] to come up with recommendations. They also supported the adoption of the NIST Cybersecurity Framework. It is the standard framework across all federal agencies, and it is also the most widely used cybersecurity framework across industries. That includes healthcare; yet it is not our standard. It’s not just me saying it; there’s a whole body of groups who agree with me.
So that’s a first piece of my parting message to the industry: stop messing around, recognize that the HIPAA security framework is inadequate in today’s environment, and adopt a framework that will do what it takes to protect healthcare.
The second message I’d like to share is: invest in cybersecurity education. We know we have a shortage of people with the qualifications and skill sets, but it’s not just that. In today’s environment, every single person who touches a computer for his or her job needs to receive cybersecurity education. You can’t just rely on the cybersecurity professionals to protect us; everybody has to play their role. But we have too many people touching computers and using technology, who have no clue what they should be concerned about.
I just had lunch with Aaron Miri, CIO at Dell Medical School and UT Health Austin. They’re incorporating cybersecurity training into the curriculum for healthcare professionals. And that’s where we need to get to. If we really want to solve this problem, every person who touches a computer needs to be taught at least the basics of cybersecurity if we are to have a hope of combating this stuff.
The third thing is, get more serious about security, from a technology perspective. The landscape that we’re dealing with today is far more serious than it has ever been in terms of what the threat actors can do to an organization. There was a recent discussion about the ‘Wiper’ phenomenon from Shamoon, the Iranian hacker group. If you look at the attacks they’ve run, they’re absolutely devastating. They’re just about at the level of destruction. When organizations get hit by these Wiper attacks, there is no recovery: they destroy the computer, they destroy the software, they destroy the data. It is literally destructive. And they’ve done this mostly in other countries, in Europe and the Middle East. They haven’t yet pointed it towards the United States—so far only towards U.S. companies operating in the Middle East. And I can guarantee you, nobody here is ready. If nation-state actors decided to go after private business, they would devastate them. We have hospitals that still today are not monitoring their network.
In our State of the Industry Survey, we found that nearly half of patient care organizations weren’t doing any behavioral monitoring at all.
Yes, it’s incredible. We have to get serious about the investment we’re making in healthcare, in the technology, and in the proactive threat-hunting and management of security. We’re just not there.
As the U.S. healthcare industry makes the shift from volume to value, the demand for everyone to be sharing more and more data is intensifying across the industry. At the same time, with the threat vectors accelerating everywhere, the danger to IT and data security is increasing daily now. How do you see that tension playing out?
I see that tension escalating. The technology evolution won’t slow down. The need to share more data won’t slow down. The need to accelerate data-sharing won’t slow down. And all of those things speak to the need for greater cybersecurity; but at the same time, it creates challenges. Healthcare is not like banking, or education, or the government, or retailing. They treat data as a thing. They can put very stringent controls and restrictions around information, because they don’t kill anybody if somebody doesn’t get access to data, whereas in healthcare, the information we have is tied to a person, and to caring for a person, and often, to caring for that person in a very timely manner. Oftentimes, it’s a matter of minutes to save somebody’s life. And we can’t just continue to apply the antiquated practices to healthcare; we need to be more sophisticated about it. We may need to be more flexible on the access side to support operations, and more capable on the monitoring side, to catch inappropriate behavior more quickly.
You and I as authorized users can follow the rules all day long, and still violate privacy. As long as we don’t do anything outside what our access allows us to do, we can look at things we’re not supposed to be looking at and the system will never catch that if we’re just using a rules perspective.
But a behavioral monitoring system knows how many patients we see a day, the types of patients we see, and the department we’re working in. And if it knows all those things and sees that we’re accessing the system at a time that’s not normal, it can alert us. Or if it sees us looking at patients that are not typical of the ones we look at, the system can question that. That’s the difference between a behavioral-based tool and a rules-based one.
If there’s a single area where healthcare is behind, it’s around behavioral monitoring, correct?
Yes, that’s absolutely correct; there’s still too much focus on compliance, and not enough on the protection of data. My experience is that when you do a better job of protecting the data and ensuring its privacy, you take care of compliance; compliance is the byproduct. Most of the tools that are out there are still designed with compliance in mind, as opposed to real security or real privacy. And if you look at FairWarning, Iatric, Protenus, and all the other solutions out there—over here, you’ve got the compliance-based monitoring tools, and over there, you’ve got the behavioral-based monitoring tools; and the behavioral-based ones eliminate more false positives and are more accurate, but are also able to see things the other tools can’t even see.
How do CIOs make the financial argument for investing in cybersecurity to their C-suites and boards, in a time of straitened resources?
I think the first thing is that there has to be an appreciation for cybersecurity in healthcare today, just as in other industries; that this is a legitimate cost of doing business. If you’re going to have computers, and automated practices, and your business relies on these systems, which they are, then you have to provide adequate protection to protect the business.
People say, ‘I have to justify the cost.’ Well, what’s the analysis if you were to lose your systems? How much would it cost you if you lose your systems for a day? For a week? What if you got hit by a Wiper attack and lost your systems for a month? If you look at the ROI from simply applying encryption—encryption literally costs dollars per device to encrypt everything, yet it can save you thousands to millions of dollars in terms of loss and fines and everything else.
This is the age-old problem that security has always had, and insurance, too—that there are people willing to drive without a seatbelt. What kind of organization are you? Are you an organization that’s willing to take unreasonable risk? If you can’t provide services or have to turn people away from the ER, you’re putting people’s lives at risk, or at least people’s health.
We always say that healthcare cares about people; well, if that’s the case, then we need to invest in these technologies and processes. We have to stop making this a dollars and cents discussion, and make it a patient safety discussion. This puts public safety at risk, it puts your public image at risk, and puts you at risk of fines and beyond. You cannot argue to me that the cost of protecting your data and systems is not worth it. A full-blown monitoring system, a SOC [security operations center] monitoring your network costs $100,000 to $1 million a year; $100,000 is one salary. You’re trying to tell me you can’t justify spending $100,000 to monitor your network accurately in today’s environment? It’s just ridiculous.
We spend all kinds of dollars on compliance, and compliance generally is not a material risk to the business. How many hospitals have been put out of business because of poor compliance? None. But I can share with you several organizations, including some recently, that have closed their doors because of a cyberattack.
Tell me how you see this landscape five years from now?
I think things are going to eventually get there, because I think we’re going to be forced to. By that I mean if the threat continues to escalate as it’s been doing, and technology continues to increase its level of sophistication, speed, and data-sharing, we are going to be forced to do it whether we like it or not. But do we really have to suffer the pain, or can we just get smarter and get there now? That’s the real issue. Do you really have to go through a breach to understand that you need to protect yourself?
I think this had to be brought out of the abstract for many people, in the form of numerous devastating breaches and other events.
Unfortunately, that’s still true. I’m meeting with the leaders of one particular hospital organization next week, and I’ve reviewed everything they’ve shared with me, and the most glaring issue is that they’ve spent tons of time and money developing a great compliance program and policies. Yet they have absolutely no monitoring whatsoever of their network. I told them, I said you’re like the emperor with no clothes. Everybody else knows you’re naked, but you don’t. You’re focused on compliance and your program, and yet no one is watching who’s coming in the back door. Somebody could come into your network right now and you’d have no clue. And I told them, that is not where I would want to be if I were in charge of this organization.
Are they listening?
They are. But the first thing I’ll do is to interview the CEO, the CIO, and the CISO, and then I’ll decide whether I want to do it. Assuming that goes well, you’ll show me all your security stuff from the last three years to be reviewed, and then your current budget and security plan for the next three years, then I’ll decide again, because if you’re not serious, I’m not interested. And the last stipulation is that I am going to tell the board what I think the board needs to hear about your program—not what you want the board to hear. I will have the courtesy to tell you what I tell you, before I tell them, but I won’t change what I tell them because you’re uncomfortable.
They agreed to all and I did the interviews with a great bunch of people. I realized they had this big hole in their program. So I said, OK, let’s talk about the first board meeting and what I would and will say to the board. I shared with them my observations. They said, OK, what do we need to do to fix that? And they’ve already started doing it. So the good news is that next week, when I tell the board that this is one of the big issues involved, the CEO and the CISO will be able to stand up and say, ‘He’s already told us about this, and we’ve started working on it.’ And the CISO in this system reports to the CEO, not the CIO.
That’s another thing that we should address: where does cybersecurity belong in the 21st century? Does it still belong under the CIO, or should it report separately? If you look at publicly traded companies, the FCC now requires the CISO to report to the CEO and the board. In government, directors of security report to the agency heads, not to the CIO. In banking, the chief security officer reports to the bank president, not the CIO. Only in healthcare do we still have the predominant number of CISOs reporting to CIOs, not CEOs.
Should that change?
Yes, it should, because as soon as that reporting relationship changes, you now have an independent voice telling the board what needs to be said.
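The rules-based versus behavioral monitoring distinction McMillan draws above (authorized users who stay within their permissions yet look at charts they have no reason to open), shown as an added illustration that is not part of the interview or of any vendor product: the audit records, user names, departments and thresholds below are all constructed, and the baseline logic (working-hour span, departments seen, double the usual daily chart volume) is a simplified assumption, not how any of the tools named in the interview work.

```python
from collections import defaultdict
from datetime import datetime
# Constructed EHR chart-access audit records: (user, role, patient_department, timestamp).
# Baseline window: nurse_a normally works cardiology, 08:00-17:00, about 2 charts a day.
TRAINING = [
    ("nurse_a", "nurse", "cardiology", "2020-01-13T08:05:00"),
    ("nurse_a", "nurse", "cardiology", "2020-01-13T15:20:00"),
    ("nurse_a", "nurse", "cardiology", "2020-01-14T09:10:00"),
    ("nurse_a", "nurse", "cardiology", "2020-01-14T16:30:00"),
]
# Day under review: the role permits every access, but two records deviate from the baseline.
TODAY = [
    ("nurse_a", "nurse", "cardiology", "2020-01-15T10:00:00"),
    ("nurse_a", "nurse", "oncology",   "2020-01-15T02:30:00"),  # off-hours, other department
    ("nurse_a", "nurse", "cardiology", "2020-01-15T14:00:00"),
    ("nurse_a", "nurse", "cardiology", "2020-01-15T14:10:00"),
    ("nurse_a", "nurse", "cardiology", "2020-01-15T14:20:00"),  # 5th chart today: volume spike
]

def rules_based_alerts(records):
    """Rules-based check: only asks whether the role may open charts at all."""
    return [r for r in records if r[1] not in {"nurse", "physician"}]

def build_baseline(records):
    """Per user: earliest/latest working hour, departments seen, average charts per day."""
    hours, depts = defaultdict(list), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for user, _, dept, ts in records:
        t = datetime.fromisoformat(ts)
        hours[user].append(t.hour)
        depts[user].add(dept)
        per_day[user][t.date()] += 1
    return {u: (min(h), max(h), depts[u], sum(per_day[u].values()) / len(per_day[u]))
            for u, h in hours.items()}

def behavioral_alerts(baseline, records):
    """Flag accesses the role permits but which deviate from the user's own pattern."""
    alerts, seen = [], defaultdict(lambda: defaultdict(int))
    for user, _, dept, ts in records:
        t = datetime.fromisoformat(ts)
        lo, hi, usual_depts, avg_daily = baseline[user]
        seen[user][t.date()] += 1
        checks = [("off-hours", not lo <= t.hour <= hi),
                  ("unusual department", dept not in usual_depts),
                  ("volume spike", seen[user][t.date()] > 2 * avg_daily)]  # assumed threshold
        reasons = [name for name, hit in checks if hit]
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts
```

The rules-based check returns nothing for the day under review, while the behavioral check flags the 02:30 oncology access and the fifth chart of the day; a real deployment would learn the baseline over weeks, not two days.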